» General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) has applied in the UK since 25 May 2018. The Regulation sets out provisions and requirements for the processing of personal data.

The GDPR applies to ‘controllers’ and ‘processors’ of personal data. A controller determines how and why personal data is processed; a processor processes personal data on behalf of a controller and in accordance with the controller's instructions. Both controllers and processors are subject to the GDPR and must be able to demonstrate their compliance. Articles 42 and 43 of the GDPR provide for GDPR certification as a voluntary mechanism for verifying and demonstrating compliance. The Information Commissioner's Office (ICO) in the UK and its counterparts in Member States are promoting certification as an effective way for organisations to demonstrate compliance with the GDPR.

UKAS has been working closely with the ICO on the framework for GDPR certification and the processes involved, specifically on the development of certification and accreditation requirements for UK GDPR schemes in line with European Data Protection Board (EDPB) guidelines. The EDPB is the EU body responsible for the consistent application of the GDPR and is composed of the supervisory authorities of all Member States (in the UK this is the ICO). Once approved by the ICO, GDPR certification scheme criteria must be submitted to the EDPB for its opinion. The GDPR stipulates that certification bodies delivering approved GDPR certification schemes must be accredited against the requirements of ISO/IEC 17065:2012 together with the additional requirements set by the ICO.

The final certification and accreditation annexes to the EDPB guidelines have been adopted. The ICO has published the UK additional accreditation requirements.

For more information on GDPR certification and data protection please see the ICO's website: https://ico.org.uk/

FAQs

1 How do I get my GDPR Certification Scheme approved?

Scheme owners need to contact the Information Commissioner's Office (ICO) first about getting the criteria in their scheme approved. UKAS cannot consider applications from GDPR certification scheme owners until the scheme criteria have been approved by the ICO. Once the ICO has approved the criteria, the next stage is for UKAS to evaluate the scheme for its suitability for accreditation purposes. The UKAS evaluation of a new certification scheme is likely to cost approximately £3k. Information on the criteria that your scheme will need to meet can be found on the ICO website and the UKAS website.

2 How do I get my Certification Body accredited?

Certification Bodies (CBs) need to apply to UKAS for accreditation in order to operate an ICO-approved certification scheme. If your scheme has not been approved by the ICO you will need to contact the ICO first (see 1 above); UKAS will not accept applications for accreditation unless they relate to an approved scheme. You should read the information on the UKAS website about applying for accreditation.

The accreditation criteria against which your Certification Body will be assessed are ISO/IEC 17065 and the ICO additional accreditation requirements. You should review both sets of requirements to determine to what extent your organisation meets them. There is information in the Development section of the UKAS website to assist conformity assessment scheme developers (e.g. ISO/IEC 17007, ISO/IEC 17067 and ISO/IEC TR 17032). Once you have done this, please contact UKAS to discuss the application and assessment process; information on this process is also on the UKAS website (UKAS application process).

The relevant application forms are the AC1 form (for applying as a process certification body), the GDPR Confidentiality Waiver (to allow UKAS to share information about your application with the ICO) and form F530 (for the conformity scheme evaluation). If you are not already accredited by UKAS, the assessment costs are likely to be in the range £12k to £15k, with annual costs between £6k and £8k.

3 How do I find a GDPR Certification Scheme to operate (as a Certification Body)?

If you are a CB that wishes to operate a GDPR scheme, you will need to contact a scheme owner. Schemes that have been approved by the ICO are listed on the ICO website with contact details for the scheme owners.

4 Where can I get my data processes certified?

Please see the information on the ICO website. Schemes that have been approved by the ICO are listed there with contact details for the scheme owners. Certification Bodies accredited to operate approved GDPR schemes are listed on the UKAS website.

Useful Links:

ICO website - https://ico.org.uk/

ICO information on GDPR certification FAQs - https://ico.org.uk/for-organisations/certification-faqs/

ICO webinar: Developing GDPR certification criteria

ICO webinar: GDPR certification: accreditation

ICO Register of approved schemes